The Rise of Banking Trojans and Angler Phishing

Proofpoint’s latest Quarterly Threat Report (May 2018) provides an update on the latest observed trends and takeaways on today’s advanced attacks. Here are some of the key takeaways from the report.

Email Threats And Email Fraud On The Rise

Email fraud is growing in both scale and pervasiveness. Successful email-based attacks can result in large direct financial losses to companies. Companies are being targeted more often and attacked more frequently. Proofpoint observed that 40% of organizations targeted by email fraud (including business email compromise) were attacked between 10 and 50 times. The number of companies targeted by more than 50 attacks was up 20% from the previous quarter.

Roughly 90% of businesses were targeted and, on average, each of these organizations received 28 email fraud attacks in Q1. This was an increase of 36% from the previous quarter and 28% compared to the same quarter a year ago.

Banking Trojans Take The Top Spot

Banking Trojans have displaced ransomware as the top malware in email. They accounted for almost 59% of all malicious email payloads in Q1. Credential stealers and downloaders made up the bulk of the remaining malicious payloads.

The most widely distributed banking Trojan, accounting for 57% of all banking Trojans and 33% of all malicious payloads, was Emotet. First documented in 2014, the Emotet banking Trojan has evolved to include anti-analysis tools and the ability to spread laterally on networks.

Social Engineering Schemes Dominate

Web-based attacks remain a major threat vector. Proofpoint reported that Exploit Kit (EK) traffic continued to decline, falling 71% from the previous quarter. In its place, attackers are concentrating more of their effort on social engineering schemes. Social engineering is the most popular way to launch email attacks, and criminals continue to find new ways to exploit the human factor. Roughly 95% of web-based attacks now redirect into social engineering schemes instead of EKs.

Angler Phishing Explosion

Organizations are engaging customers in new digital channels they do not control, which is an open market for threat actors looking to exploit trusted brands by setting up fraudulent accounts that piggyback on your brand. Social media threats continue to evolve as threat actors look to social platforms for personal information, malware distribution, and more.

The first quarter of 2018 saw an explosion of social media support fraud, or “angler phishing”, with an increase of 200% from the previous quarter. Social media support fraud occurs when threat actors insert themselves into a conversation between a legitimate brand and a consumer seeking help with a particular issue, ranging from account login to product support.

Registration of Suspicious Domains

The registration of suspicious domains for malicious purposes is on the rise. Suspicious domains are being used in attacks over social media, the web, and email. As with many social media scams, threat actors follow major trends and register domains with the intent to defraud customers. Proofpoint uses the example of Bitcoin-related domains, where 30% of Bitcoin-related domain registrations in Q1 were suspicious. Proofpoint observes that suspicious domain registrations outnumber brand-owned defensive registrations by roughly 20 to 1. This emphasizes the need for companies to take a strategic approach to domain management.

Threat and Attack Definitions

Definitions of observed trending threats and attacks found in the latest Proofpoint quarterly report:

This type of malware gives attackers total control over the compromised system. Compromised systems may be infected with additional malware, be subject to information theft, or be used as part of a botnet.

Banking Trojan

This type of malware steals a victim’s bank login credentials, usually by redirecting the victim’s browser to a fake version of their bank’s website or by injecting fake login forms into the real site.

Dridex

Dridex is a widely used banking Trojan that spreads through a variety of vectors, primarily email, infecting victims and stealing banking credentials.

Emotet

This banking Trojan, first documented in 2014, has evolved to include anti-analysis tools and the ability to spread laterally on networks.

Ransomware

This type of malware locks away victims’ data by encrypting it, then demands a “ransom” to unlock it with a decryption key.

This ransomware infected tens of thousands of systems across more than 150 countries in May 2017, one of the largest cyber attacks on record. It spread through a flaw in a file-sharing component of Microsoft Windows.

Email Fraud

In email fraud attacks, an email or series of emails purporting to come from a top executive or partner firm asks the recipient to wire money or send sensitive information. It does not use malicious attachments or URLs, so it can be hard to detect and stop.

W-2 Scam

In this scam, someone spoofing an executive asks the finance or HR department to send employee records, which are then used for identity theft and other attacks. It is named after the W-2 tax form U.S. employers use to report each worker’s wages.

Display-Name Spoofing

The display name is what appears in the “From:” field when reading the message. It is unrelated to the sender’s actual email address or to where replies are sent; it can be anything. In display-name spoofing, the attacker uses a familiar name and email address to gain the recipient’s trust.

Domain Spoofing

Spoofing impersonates trusted colleagues or contacts by making an attacker’s emails appear to come from a legitimate and expected address. Some domain spoofing uses lookalike domain names deceptively similar to the real ones.
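A defender-side check for the two spoofing patterns defined above (and for the lookalike domains discussed under Registration of Suspicious Domains), written here as an added Python example rather than anything from the Proofpoint report or AGT: it parses a From: header, flags a known display name paired with an unexpected address, and flags sender domains that collapse onto a protected domain after homoglyph folding. The protected domain, the known person, and the sample headers are constructed for the example.

```python
"""Flag display-name spoofing and lookalike-domain spoofing in From: header values.
Added example; the protected domain, person and headers below are constructed."""
from email.utils import parseaddr
from typing import List
import difflib
import unicodedata

# Constructed sample data: the brand's real domain and a person attackers impersonate.
PROTECTED_DOMAINS = {"example.com"}
KNOWN_PEOPLE = {"Jane Doe": "jane.doe@example.com"}

# Digits commonly swapped in for letters when building lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize_domain(domain: str) -> str:
    """Fold accented Latin letters, digit homoglyphs and the 'rn' -> 'm' trick
    so that a lookalike collapses onto the spelling of the real domain."""
    folded = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode().lower()
    return folded.translate(HOMOGLYPHS).replace("rn", "m")


def is_lookalike(domain: str) -> bool:
    """True if the domain is not a protected domain but, after folding, equals
    or closely resembles one (similarity ratio of 0.9 or more)."""
    if domain.lower() in PROTECTED_DOMAINS:
        return False
    norm = normalize_domain(domain)
    for real in PROTECTED_DOMAINS:
        if norm == real or difflib.SequenceMatcher(None, norm, real).ratio() >= 0.9:
            return True
    return False


def classify_from_header(from_header: str) -> List[str]:
    """Return the spoofing indicators found in one From: header value."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []
    expected = KNOWN_PEOPLE.get(name.strip())
    if expected and addr.lower() != expected:
        findings.append("display-name-spoof")  # familiar name, unexpected real address
    if is_lookalike(domain):
        findings.append("lookalike-domain")  # deceptively similar to a protected domain
    return findings


if __name__ == "__main__":
    for header in ('"Jane Doe" <jane.doe@example.com>', '"Jane Doe" <jane.doe@exampl3.com>'):
        print(header, "->", classify_from_header(header))
```

The check is a gateway-style heuristic and does not replace SPF, DKIM or DMARC evaluation; it is meant to catch the display-name and lookalike cases those protocols do not cover.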

Exploit Kit (EK)

Exploit kits (EKs) run on the web, detecting and exploiting vulnerabilities in computers that connect to them. EKs, often sold to attackers as a service, make it easy to infect PCs in “drive-by” malware downloads.

Angler Phishing

In angler phishing, attackers create fake customer-support accounts on social media to trick people looking for help into visiting a phishing site or providing account credentials.

Actionable Intelligence For Improved Security Posture

Reports like the latest Proofpoint quarterly report provide actionable intelligence that can be used to better protect your organization by helping you to anticipate emerging attacks and better manage your security posture.

These days, with the rise in social engineering schemes and social media fraud, you need to fight attacks on a number of fronts in order to protect your brand reputation and customers. This means protecting across social media, email, and mobile.

Preventing email fraud, web-based attacks, and social media fraud requires a multilayered solution that includes email authentication and domain discovery, as well as dynamic classification that can analyze the content and context of emails, stopping display-name and lookalike-domain spoofing at the email gateway.

Contact Ascension Global Technology

For help leveraging an email security solution that identifies and quarantines both inbound email threats targeting employees and outbound threats targeting customers before they reach the inbox, contact Ascension Global Technology. We can also help you find a comprehensive social media security solution that scans social networks and reports fraudulent activity.

You can read the full Proofpoint Q1 2018 report here.
